
Bank Cybersecurity in 2026: Why "Before the Attack" No Longer Exists

Three ISSP presentations in the past month — Artem Mykhailov on ISSP × D8 antifraud, Roman Solohub's talk on cyber resilience of the digital bank, and Roman's panel at FinTech Ukraine Forum 2026 on DORA, AI, and Ukrainian banks' readiness — come together into a single picture. Here it is.


One Person. One Prompt. One API Key.


Let's start with a story that isn't about banks. At least not yet.


A few months ago, a user had a simple idea. He took OpenClaw — open-source agentic software, a "homemade" counterpart to commercial AI agents with computer access and the ability to build multi-step tasks. He gave it one job: "Go online, find absolutely every joke about not paying taxes in the US — and automatically file complaints on my behalf."


Why complaints? The US tax authority, the IRS, runs a Whistleblower program: you report a fellow citizen for tax evasion — and receive up to 30% of the penalty imposed. The person jokingly wrote that he expected to earn about half a million dollars a year from this scheme.

[Image: IRS Whistleblower Program web page showing how to report tax law violations and claim financial rewards]

No deep skills. No vulnerabilities. No hacking. Just a cheap AI agent + an open reward system.


Now let's bring this into the banking space. Under PSD3, the bank is now required to prove that a transaction was not the result of phishing — otherwise it reimburses the customer. In other words, a new reward system with open rules has emerged. Imagine someone automating a stream of claims: "I was scammed, give me my money back." Imagine the scale.


This is 2026. AI didn't hack the bank. AI changed the economics of fraud — and did so on the side that previously required either a large team or deep expertise. Now it requires neither.


AI Is Not a New Weapon. AI Is Democratization.


At FinTech Ukraine Forum 2026, Roman Solohub framed the same idea from a different angle. This is an important clarification because it strips the unnecessary mystique from AI.


"When it comes to cybersecurity, artificial intelligence is not a fundamentally new weapon. It's the next step in the democratization of the means of production."

The analogy is precise. It once took a director, a camera operator, a sound engineer, post-production, and a budget to shoot a music video. Today, you can get a comparable result on a MacBook with a subscription to Claude or ChatGPT. No API, no team — just a subscription.

The same has happened with attacks.


No fundamentally new methods have appeared. The old ones have accelerated:

  • phishing and social engineering;

  • polymorphic threats;

  • malware;

  • automated content creation for attacks.


Factories producing polymorphic malware have emerged. Marketplaces have appeared where an attacker doesn't buy a "package" but orders a ready-made build, generation, delivery, and launch. Expertise is no longer a barrier — access to the service is enough.

The conclusion is simple: the amount of evil in the world hasn't changed — its accessibility has. Both attackers and defenders now have more tools. The only question is pace: attack dynamics have accelerated, so defense dynamics must accelerate too. Otherwise, it's still infantry versus cavalry.


"There Is No 'Before the Attack'"


Roman Solohub, CEO of ISSP, formulated a thesis in his talk on cyber resilience of the digital bank — one worth printing out and hanging in every boardroom:


The concept of "before a cyberattack" no longer exists. Threats fly continuously. Only "during the attack" and "after the attack" remain.

This is not a figure of speech. Financial institutions are the #1 target globally by number of cyberattacks. In Ukraine, critical infrastructure holds the top spot due to the war and state-sponsored attacks, but banks firmly hold second place — "not far behind."


Here's a number that typically surprises even experienced CISOs: in a properly protected financial institution, 3–5 incidents per week breach the perimeter — and are contained by internal defense mechanisms. This isn't "someone, somewhere, once." This is every week. You just don't hear about them because they were stopped in time.


Roman suggests thinking about this as an immune system. Absolute protection doesn't exist — something always gets inside the organism. The question isn't whether the perimeter will be breached, but whether the organization has mechanisms to detect, respond to, and neutralize the threat. This is cyber resilience: the ability to function during an attack, rather than trying to live in the illusion that an attack won't happen.


"Everyone has a plan until they get punched in the face." Mike Tyson

Readiness is not a strategy presentation. It's the technologies, operations, and people that activate at the moment of impact.


The Regulatory Tsunami That Asks No One's Permission


Why has all of this intensified right now? Because several regulatory waves have hit banks simultaneously:


PSD3 — liability for phishing shifts to the bank; the bank must prove the customer was not deceived.

DORA — operational resilience becomes mandatory, with audits and process requirements.

VOP (Verification of Payee) — instant payee verification at the moment of payment.

NBU requirements — overnight monitoring, anti-drop measures, enhanced identification. Separately — new NBU requirements that bring financial sector information security regulation closer to DORA's logic.


Each new requirement means new rules. Each new rule means new alerts. Add them all together — and you get exponential growth in workload.

Alert volume is growing, response time is shrinking, and manual analysts physically cannot keep up.


This is where AI stops being "hype" and becomes a necessity. Not because it's trendy. But because the math simply doesn't work otherwise.


DORA Is About Practice, Not About Plans


A separate thought from Roman Solohub at FinTech Ukraine Forum 2026, worth highlighting: DORA represents a fundamentally new type of regulation.

Classic regulation has historically been about planning: asset identification, risk analysis, system protection documents, procedures, paper-based audits.

DORA changes the logic: it's about practice — about how an organization actually behaves during an attack.


"Everyone has a plan until they get punched in the face."

Hence — TLPT, Red Team / Blue Team / Purple Team, incident response plan testing, real SOC exercises. Not "a policy folder on the shelf," but training — like in sports: regular, practical, against real scenarios.


The second important shift — supply chain enters the bank's perimeter of responsibility. Risks remain with the bank: they cannot simply be "passed on to the vendor." At the same time, the vendor itself, its reliability, and even the exit strategy from the vendor become regulatory objects.


This is the same direction in which local financial sector regulation in Ukraine is moving.


The AI Arms Race: Why Defense Must Keep Pace

While some debate whether to let AI into financial processes, the other side is already using it.


A few facts from the presentations that serve as a solid reality check:

Machines already find what humans missed for decades. Anthropic released a specialized security model that demonstrated ~70% better detection of zero-day vulnerabilities than humans. One example — a vulnerability in the FreeBSD operating system that had gone unnoticed for 27 years. The model found it in a few hours. It then took humans days just to understand how it worked. This was so serious that the company hesitated over whether to release the model at all.


The flow of critical vulnerabilities has multiplied. Until recently, weekly client briefings showed 1–2 critical vulnerabilities (RCE, score ~8) per week. Now — 5–6 per week with scores of 9.6–9.8. RCE stands for Remote Code Execution — the most dangerous class.

Most "users" are no longer human. Non-human identities — service accounts, API keys, bots, agents — already outnumber human ones by approximately 6 to 1, and the gap is growing exponentially. Traditional KYC and identity verification were built for humans. What do you do when most of what's knocking on your systems isn't human?

The conclusion is simple: if attacks scale through AI, then defense must scale through AI too. Otherwise, it's infantry fighting cavalry.


But AI Is Not a Magic Button

It's important to pause here, because after the demos, everyone wants to believe in magic.

The typical expectation sounds like this: "We'll feed all transactions and customer data into a model, it'll magically find the fraud, and we'll block it." We're not there yet. Close — but not there. And possibly, for compliance reasons, we won't be there for a long time when it comes to final decisions.


Why?


  • There is no universal antifraud. Every bank's rules are unique. You can't copy them from Bank A to Bank B — different customer base, different payment patterns, different regions, different risks. Even the same system works differently in two banks.

  • It's a living system. You're constantly in an arms race with fraudsters. Rules must evolve weekly. A static system simply dies.

  • Don't break what works. The biggest risk is rolling AI on top of working processes and accidentally breaking them. This calls for conservatism.


That's why the right approach in 2026 is not "replace analysts with AI," but give analysts AI as a tool. And that's exactly how the ISSP × D8 joint approach is built.


From Rules to Multi-Agent AI: The ISSP × D8 Path


ISSP has been partnering with D8 since 2019, and D8 itself (founded in 2002) is a financial technology vendor with the StrongHold platform, now in its 6th generation, with PCI DSS 4.0 certification and 6th AML Directive compliance. The architecture is built in layers.


Layer 1 — Rules (StrongHold Rule Engine). Dozens of signals, full logic transparency, real-time detection in milliseconds, post-authorization offline investigation, cross-channel correlation, custom sanctions screening. A complex system can't look like a toaster — otherwise its logic will be that of a toaster.


Layer 2 — AI Assistant directly in the interface. Four modes:

  • Rule Builder — in natural language: "Create a rule: decline payments over $500 from high-risk countries" → the system proposes a ready-made rule → the analyst activates it.

  • Event Explanation: "Why was event X flagged as suspicious, and which rules triggered?"

  • Retrospective — "a second pair of eyes with perfect memory": review past data under a new hypothesis, evaluate false positives, check rule effectiveness.

  • UI Actions — flag an event, add to whitelist/blacklist directly from the dialog.


Layer 3 — Agentic Workflows (ISSP AI Lab R&D). Not "vendor + ChatGPT," but proprietary multi-agent pipelines for real use cases. For real-time fraud: Triage agent (fast model) → enrichment via StrongHold API → Analysis agent (powerful model) → decision and case management. For AML: KYC alert → Profile agent (sanctions, PEP, OSINT) → risk scoring → SAR draft. Investigation time drops from hours to minutes.


One unwavering principle: the final decision always rests with a human. AI prepares — the human decides.
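The Rule Builder and Retrospective modes and the human-decides principle described above can be sketched together. This is an added example, not ISSP or D8 code and not the StrongHold API: the names Rule, activate, decide and retrospective are hypothetical, and the country codes and transaction history are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder codes; a bank would use its own high-risk list.
HIGH_RISK = {"XA", "XB"}

@dataclass
class Rule:
    name: str
    min_amount: float
    countries: frozenset
    action: str = "decline"
    status: str = "proposed"   # becomes "active" only through activate()
    approved_by: str = ""

    def matches(self, tx: dict) -> bool:
        # "over $500" is a strict comparison; exactly 500.00 does not match
        return tx["amount"] > self.min_amount and tx["country"] in self.countries

def activate(rule: Rule, analyst: str) -> Rule:
    """Human-in-the-loop gate: a rule goes live only with a named approver."""
    if not analyst:
        raise PermissionError("rule activation requires a human analyst")
    rule.status, rule.approved_by = "active", analyst
    return rule

def decide(rules, tx: dict) -> str:
    """Live path: proposed (unapproved) rules never affect a payment."""
    for rule in rules:
        if rule.status == "active" and rule.matches(tx):
            return rule.action
    return "approve"

def retrospective(rule: Rule, history) -> dict:
    """Replay a rule, even a proposed one, over labelled past events."""
    hits = [tx for tx in history if rule.matches(tx)]
    true_pos = sum(tx["fraud"] for tx in hits)
    fraud_total = sum(tx["fraud"] for tx in history)
    return {"hits": len(hits), "true_pos": true_pos,
            "false_pos": len(hits) - true_pos,
            "missed_fraud": fraud_total - true_pos}

# Constructed history, labelled as if after investigation.
HISTORY = [
    {"id": 1, "amount": 900.0, "country": "XA", "fraud": True},
    {"id": 2, "amount": 650.0, "country": "XB", "fraud": False},
    {"id": 3, "amount": 120.0, "country": "XA", "fraud": True},
    {"id": 4, "amount": 700.0, "country": "DE", "fraud": False},
    {"id": 5, "amount": 501.0, "country": "XB", "fraud": True},
]

if __name__ == "__main__":
    # What an assistant might propose from the natural-language request.
    proposed = Rule("high-risk-over-500", 500.0, frozenset(HIGH_RISK))
    print(decide([proposed], HISTORY[0]))    # not yet activated
    print(retrospective(proposed, HISTORY))  # evidence for the analyst
    activate(proposed, analyst="analyst.placeholder")
    print(decide([proposed], HISTORY[0]))
```

The retrospective replay gives the analyst the false-positive and missed-fraud counts before anything touches live traffic, which is the order the layers above imply.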


There's also Voora.ai — StrongHold in the cloud (AML + antifraud as SaaS, EU Tier III): fraud check <50 ms, sanctions screening <2 s, SLA 99.9%, 150+ sanctions data sources, from 10,000 transactions per day. And Mobile SDK — on-device antifraud: fingerprinting, behavioral telemetry, account takeover and SIM-swap detection, vendor-agnostic for the mobile application.


Resilience Is a System, Not a Product


This is where Artem's and Roman's presentations converge into a single thesis. Antifraud is only one half of the defense. The other half — the bank's cyber resilience as a system.


Roman breaks it down into three layers:

  1. Technology — infrastructure, cloud, services, endpoints, identity.

  2. Operations — identification, detection, response, recovery. This is where "blind spots" live, along with missing procedures and checkbox compliance.

  3. People — employees, customers, management, contractors. Phishing, vishing, BEC, deepfakes.


Resilience emerges where all three layers operate as a single cycle: technology → SecOps → proactive threat hunting → training → and back to technology.

ISSP covers this with managed services: SOC-as-a-Service, MDR (Managed Detection & Response), CTEM (attack surface management), SOC Automation on top of your SIEM/EDR/XDR, and MSAT — managed security awareness training.

A strong separate point from Solohub about people. Training is not a campaign — it's a sport:


You can't do sports in bursts. You have to do it as a process — daily, regularly, routinely. The important word isn't even "micro" — it's "continuously."

And phishing simulations should not be template-based ("here's a file with salaries"), but contextual: for the finance department — "urgent reconciliation report at 5 PM on Friday," for lawyers — "legislative changes." Because a person is either part of the problem or part of the solution. The choice depends on how much you invest in them.


Identity in the Age of AI Agents


It's no coincidence that both presentations converged around identity. If non-human identities already outnumber human ones six to one, and these agents act autonomously — who is responsible for their actions?


An AI agent without identity management is a car without airbags. If your agents lack identity governance, this is no longer a theoretical risk. It's your liability — right now.


Ukrainian Banks' Readiness: Better Than We Think


At FinTech Ukraine Forum 2026, a thesis was voiced that you rarely hear in public discourse, making it worth a dedicated section.


"I believe that many Ukrainian banks are even more prepared than we think."

The logic is straightforward. Ukraine's financial sector has effectively been operating under hybrid warfare conditions since 2015–2017 — from attacks on energy and infrastructure to today's coordinated campaigns against the state, businesses, and financial organizations.


Over these years, banks have gone through what Europe is often still rehearsing in tabletop exercises:

  • blackouts and operational infrastructure failures;

  • targeted, coordinated cyberattacks;

  • massive DDoS attacks;

  • phishing campaigns;

  • state-sponsored group activity.


Formally — yes, the regulatory part still needs strengthening: DORA compliance, harmonization with NBU requirements, process formalization, vendor testing, regular team exercises.


But in terms of actual resilience, Ukraine's financial sector has repeatedly demonstrated exactly what DORA was created for: the ability to withstand a hit and keep operating.

This is not a reason to relax. It's a reason to acknowledge a strong foundation and build the next level deliberately, rather than from scratch.


Bank Cybersecurity: Two Halves of One Defense


Let's bring it all together.

  • "Before the attack" no longer exists. You live during the attack. Build immunity, not a fence.

  • AI is not a new weapon — it's the democratization of access to old methods. Expertise is no longer a barrier — access to tools is what remains.

  • Regulation leaves no choice. PSD3, DORA, VOP, and NBU requirements increase the number of scenarios, alerts, and processes the bank must control.

  • DORA is about practice, not paper. Tabletop exercises, TLPT, Red Team / Blue Team / Purple Team, and SOC training are not optional — they're basic resilience hygiene.

  • Supply chain is now inside the bank's perimeter. Vendors, their reliability, and exit strategies become part of cyber risk.

  • AI is already on the attack side. Therefore, defense must operate at the same pace. But AI is not magic: decisions, accountability, and control remain with humans.

  • Ukraine's financial sector is more prepared than it seems. Years of hybrid warfare have built real resilience. Now it needs to be formalized, strengthened, and regularly tested.

  • Defense has two halves: AI-powered antifraud and cyber resilience as a system.


Separately, these are tools. Together — they form the bank cybersecurity model that withstands the blow and keeps operating.





Learn more about antifraud for banks — https://ua.issp.com/antifraud. Want to discuss your specific case? Get in touch — we'll build a business case for your needs. https://www.issp.com
